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1. (U) Introduction 

(S//NF) Sonic Screwdriver is a mechanism for executing code on peripheral devices while a Mac laptop 
or desktop is booting. Normally, an Apple Firmware Password prevents alterations of the boot path. 

Sonic Screwdriver’s mechanism for executing code will allow a user to boot to a USB thumb stick, DVD/ 
CD, or external hard drive even when a firmware password is enabled. 

(S//NF) The code for Sonic Screwdriver is stored on the firmware of an Apple Thunderbolt-to-Ethemet 
adapter (see Figure 1.1). The implant code will scan all internal and external media devices for a device 
with a specific volume name. This includes USB thumb drives, CD/DVD disc, and hard drives. If the 
specific volume name is found, it will execute a UEFI boot of that device. 



(U) Figure 1.1: Apple Thunderbolt-to-Ethemet adapter 


(S//NF) The intended CONOP for Sonic Screwdriver is to be able to install EDG/AED tools on a Mac 
even if a firmware password was enabled. EDG/AED tools usually requires an operator to boot to a 
specific device. If a firmware password is enabled, the operator will see a password prompt as in Figure 
1.2 instead the list of bootable devices. If such a screen appears during the operation, the operator would 
then need to reboot the machine with the implanted adapter plugged into the Thunderbolt port, and 
continue with installation of the EDG tool. See Section 4.2 for specific details. 



(U) Figure 1.2: Apple Firmware Password Prompt 

l.l. (S) Notes About Implanted Adapter 

(U) Please note the following: 

o (S//NF) Once an adapter has been implanted, preboot functionality of the device will be 
lost. Currently, the only preboot functionality an Apple ethemet adapter serves is for a 
machine to do a netboot. 

o (S//NF) An implanted adapter will function normally as an ethemet adapter once OSX is 
booted. 

o (S//NF) It has been observed that when an EFI shell is loaded from an implanted adapter, 
not all hard drive partitions are visible due to how early the code gets loaded. Note that if 
a Linux distro is being loaded from the implanted adapter, Linux will initialize the hard 
drive itself and all partitions will be visible to inspect or image. 
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o (S//NF) Once an adapter has been implanted, it will not be possible to restore it factory 
default. Sonic Screwdriver uses a commercially available flashing tool form Broadcom 
to flash the firmware of the adapter. Since this tool does not have a read functionality, a 
pristine bootrom was never obtained. 

2. (U) Tool Requirements 

2.1. (S) Target Computer 

o (U) Any Mac laptop or desktop with Thunderbolt port, see Figure 2. 1 . 

■ The following are a list of models that have been tested with Sonic Screwdriver: 

• MBA5,1 (Mid 2012 - 11”) 

• MBA5,2 (Mid 2012- 13”) 

• MBA4,1 (Mid 2011 - 11”) 

• MB A4, 2 (Mid 2011 - 13”) 

• MBP10,1 (Mid 2012-15” Retina) 

• MBP10,2 (Late 2012-13” Retina) 

• MBP9,1 (Mid 2012 - 15”) 

• MBP9,2 (Mid 2012 - 13”) 

• MBP8,1 (Late 2011 - 13”) 

• MBP8,2 (Late 2011 - 15”) 

2.2. (U) Requirements for Building 

o MacBook Air 5,1 or 5,2 (Mid 2012 - 11” or 13”) 
o External USB DVD/CD-Rom drive to boot the installer, 
o Apple Thunderbolt-to-Ethemet Adapter 



Thunderbolt port 


(U) Figure 2. 1 : Thunderbolt port 
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3. (U) Building and Configuring 

(S//NF) This section contains instructions for building Sonic Screwdriver. The first section will discuss 
how to flash the code onto a new Apple Thunderbolt-to-Ethemet adapter. The second section will discuss 
how to configure the boot media intended to be executed by the implanted ethemet adapter. 

3.1. (S) Implanting Ethernet Adapter 

(S//NF) The Apple Thunderbolt-to-Ethemet Adapter can only be flashed in a real mode operator system, 
such as MS-DOS. A CD ISO image is packaged with the tool to make flashing the adapter as seamless as 
possible. 

1. (U) Locate the following ISO image and bum the image to a DVD or CD: 

UNCLASSSonicScrewdriverlnstall.iso 

2. (U) Plug in the ethemet adapter into the Thunderbolt port of the MacBook Air mentioned in 
Section 2.2. Also plug in the external USB DVD/CD-ROM drive with the DVD/CD created 
from step 1 . 

3. (U) Power up the MacBook Air holding down the ‘option’ key. 

4. (U) After a few seconds, a number of boot options should start to appear. 

5. (U) Select ‘Windows’. This should be the only option with a DVD/CD icon above it. 

6. (U) Let the installer fully boot. All the default options should be fine. 

7. (U) Once the DVD/CD boots into FreeDos, the installer will automatically run the Broadcom 
flash utility to detect the flash in the adapter. There should be only one device listed at size 64K. 

a. (U) If there are no devices listed, ensure the adapter is firmly plugged into the 
Thunderbolt port, and repeat back to step 3. 

8. (U) Type the following at the command line: 

B57UDIAG.exe -ppxe x:\ss.rom 

9. (U) It will take roughly 1-2 mins to complete the reprogramming of the adapter. Programming is 
complete when control is passed back to the command prompt. Power down system by holding 
the power button. 

3.2. (S) Configuring Boot Media for Target 

(S//NF) Once the Thunderbolt-to-Ethemet adaptor has been implanted, it will search all media devices for 
a specific volume name and a file path to execute. This includes both internal and external hard drives, 
CD/DVD drives, and USB thumb sticks. The external hard drives and CD/DVD drives can be connected 
via USB, Firewire, or Thunderbolt. Hard disk can be formatted FAT16, FAT32, or HFS+. Hard disk 
formatted NTFS or ext* will NOT be detected. 
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(S//NF) The volume name that will be search for is: 

FILER 

(S//NF) Please note that the volume name above is case sensitive in filesystems that allow for case 
sensitivity, such as HFS+. 

(S//NF) The file path to be execute under the volume FILER will be: 

/EFI/BOOT/BOOTX64.efi 

(S//NF) The file path above is the specified default boot path for EFI systems. For example, a EFI 
complaint Lunix distro DVD will have this path with the file BOOTX64.efi as the Linux bootloader for 
that distro. If it is desired to have the implanted ethemet adaptor launch this distro, one would only need 
to modify its volume name to be FILER. If it is desired to have the implanted ethemet adapter launch an 
EFI implant, one would need to rename the volume and copy the EFI implant to the file path above on an 
appropriate media device. 


4. (S) Executing Sonic Screwdriver on Target Machine 
4.1. (U) Steps to gain executions 

(S//NF) The implanted ethemet adapter needs to be plugged into the Thunderbolt port when the computer 
is powered on in order for code to be executed. If the adapter is plugged it after the machine is powered 
on, no implant code will be executed. 

1 . (U) Plug in ethemet adapter to Thunderbolt port. 

2. (U) Plug in boot media configured from Section 3.2. 

3. (U) Power on machine. 

4. (U) The device should automatically boot without any key presses. 

a. (U) If it does not, there has been observations that certain models of Apple Macs does 
not pick up certain USB devices. Take the follow step if this is occurring. 

b. (S//NF) Repeat steps 1-3, but now hold the OPTION key while booting up. Once either 
a boot list or firmware password screen boots, unplug the boot media device and plug it 
in again. It should then automatically get loaded. 

4.1. .11. (U) Using Sonic Screwdriver with EDG Tool DerStarke 

(S//NF) DerStarke is an EDG/AED EFI firmware implant against Apple Mac laptops and desktops. It is 
installed with physical access via a USB thumb stick or CD/DVD disc. Please refer to DerStarke 1.3 
User’s Guide for information on how to build the USB thumb stick or CD/DVD. 
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(S//NF) By default, the DerStarke builder will define the volume name and file path of implant with the 
same values as listed in Section 3.2. This means no other configuration will be needed when executing 
Sonic Screwdriver and DerStarke together. 

(S//NF) To install DerStarke: 

1. (S//NF) Plug in the USB thumb stick or CD/DVD with the DerStarke installer. 

2. (U) Flold down the power button for 10 secs until the machine starts to boot. If sound was 
enabled, a loud bong will be audible. If sound was disabled, a white screen will be the only 
indicator. 

a. Holding the power button will boot the machine into a flash recovery mode that is 
required to install DerStarke. An error message will result if the power button is not 
held down for 10 sec. 

3. (U) Hold down the OPTION key in order see all the boot options 

4. (S//NF) If a list of boot options appears, a firmware password was not enabled. Choose ‘EFI 
Boot’ with the USB or CD icon (depending which media DerStarke was built to). This will 
complete DerStarke installation. 

5. (U) If a prompt for a password appears, a firmware password was enabled. 

a. (U) Please note that the prompt should be similar to Figure 1.2. If the screen looks more 
complex, there is a probability that the OPTION key did not register fast enough, and 
the target machine booted into either an OSX or a FileVault2 password screen. 

6. (S//NF) Power down the system, and reboot with the implanted ethemet adapter and the 
DerStarke media inserted. Do not forget to hold down the power button for 10 secs. Holding 
down the OPTION key is not required when the implanted ethemet adapter is plugged in. 

a. (S//NF) DerStarke installation should automatically without any key press interactions. 
If it does not, it is possible that Mac and USB stick might required a unplug and re -plug 
in as mentioned in Section 4. 1 . 

b. (S//NF) Repeat steps 1-3, but now hold the OPTION key while booting up. Once the 
firmware password screen boots, unplug the boot media device and plug it in again. It 
should then automatically get loaded. 


[End of User’s Guide] 
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